E92 PCM Reverse Engineering

[Gatecrasher]

If you're looking at the code and you want to match RAM addresses up to the EEPROM parameter block in the flash dump, subtract 3FFF04A0 from the RAM address to get the flash file location. So the VIN for example is at 40000554 in the code. 40000554 - 3FFF04A0 = 100B4.

This is probably more trivia than anything, but my 2015 Tahoe bench ECM has the same bootloader (12656994) as the 2016 Silverado dump. All the other hardware and software part numbers are different though. I wish we really knew what was different at the hardware level. It would make it a lot less risky to swap software around.

[bubba2533]

What software is everyone using to do testing of commands etc. ? I know there has to be some freeware for CAN communications.

[kur4o]

What software is everyone using to do testing of commands etc. ? I know there has to be some freeware for CAN communications.

You can use Universal Patcher but a good quality j-2534 tool will be needed. You can also run some custom scripts if you like, and log all traffic to a file.

[bubba2533]

I have an Tactrix Openport 2.0 cable and a VX Nano. Are either one of those good enough?

Edit: Do you have any documents or help section I can reference for Universal Patcher to get started?

[ironduke]

What software is everyone using to do testing of commands etc. ? I know there has to be some freeware for CAN communications.

If your looking for quick and dirty testing I used to use an elm327 and a program called termite. It's just a serial com program like hyperterminal..

I like termite because it has 'function keys'.. when you enable it a screen pops up where you can program in messages that get sent when you use a function key.
With a little practice you can even change the vin.. seed is F1, send key is F2, send first line of vin is F3, then F4 and F5.. lol.. timing is tricky though..

Nowadays I just use visual studio and work off of a command line program I have, only takes a second to build and run and I can change it up pretty quick..

kurdo has been playing with universalpatcher a lot, even sent me a few scripts, I gotta find some time to check that out some more as it looks pretty nice to use for testing.

[bubba2533]

I'm mainly just wanting to make sure my second PCM is alive. I made a bench power harness and I'm not getting any comms. I don't know why I didn't think of this first, but I tested with a commercial tuning software/cable and I'm not getting anything.

[ironduke]

I'm mainly just wanting to make sure my second PCM is alive. I made a bench power harness and I'm not getting any comms. I don't know why I didn't think of this first, but I tested with a commercial tuning software/cable and I'm not getting anything.

For something like that I really like the data bus diagnostic tool(DBTD) that gm has.. It only works with the MDI/MDI2 afaik and it needs to be used with techline disconnect and a valid gds2 lease though.
it can be used as a scope pretty much and you can see the canbus data lines and see what they're doing..

I've got the install msi/exe for the DBDT but it's useless unless you have gds2 running and have a valid lease.. no idea how much work it would take otherwise ot get working.

[Gatecrasher]

I've been using DrewTech's J2534 bus analysis tool. (NOT the J2534 Toolbox). It's probably the single most useful tool I have.

Their current version is 1.0.14, but it's got some bugs in it. 1.07 seems a lot more stable. https://www.drewtech.com/downloads/tool ... 0v1.07.msi

It's got some limitations, but it's fast, simple and free. It's also open source.

I've used it with the OP2 in the past. It'll be fine for an ECM, since OP2 only does high speed CAN. I've got an MDI for the low speed stuff. Anyway, to do a basic comms test, start the app, click Load DLL, click open under J2534 devices, and then select CAN in the protocol dropdown. Then click connect. Go to the filters tab, click create pass all filter, and then click apply. Go back to the messages tab and click start. You should see traffic.

I wired mine up according to the IOTerminal PDF I linked to earlier. It worked on the first try.

[bubba2533]

Ok, I got it. Needed power to the pin 18 in the IOTerminal PDF you linked.

Edit:

I cleaned up my bench wiring now that I know It works.

I was also able to connect with the Tactrix and Drew Tech Tool very easily thanks to your help. I’m going to have to play around with it some to get more familiar.

Capture.PNG (35.52 KiB) Viewed 2322 times

[kur4o]

Here are some basic instruction how to log with universal patcher.

get the program here

https://github.com/joukoy/UniversalPatc ... r-Full.Zip

unzip and run exe.
Goto-utilities->logger it will open this window.

CAN_settings.png (82.02 KiB) Viewed 2317 times

Select device from dropdown, and set other settings as per screenshot. Than connect. To see all traffic clear filter box. You can set all kind of filters, and use multiple of them.

I attached some scripts that you can use as a base. You can do all kind of things with them. Unlock pcm and send some commands and so on. These are set for tcm so change the CAN header from 000007e2 to 000007e8 or whatever the pcm id is.